12 votes

On a freshly installed EC2:

  1. The Security Group is default. "All Traffic" is ALLOWed for 0.0.0.0/0 for both Inbound and Outbound.

  2. The "Network ACL" has some limitations for inbound as we want our website on this domain to be an internal network for our charity organisation. But from this server, we want to install some things via SSH so we need wget and curl. So the Outbound is also

    100  ALL Traffic  0.0.0.0/0  ALLOW

    *    ALL Traffic  0.0.0.0/0  DENY

That last "DENY" is added by default.

With these settings, which seem to be quite normal, what else am I missing? Note that all iptables rules are flushed, and we do not use iptables to the best of my knowledge. All firewall stuff is managed by the Amazon VPC security settings.

Any thoughts or pointers? Thank you.

1
Just to add, we cannot ping or tracert or anything. – Khom Nazid

You've done it backwards. Allow the desired access to your site via inbound security group (deny is implicit for everything not allowed) and put the network ACLs back to the "allow all" defaults in both directions. NACL is stateless, low-level, advanced functionality and almost certainly isn't doing what you think it does in the way you expect. – Michael - sqlbot

I had the same issue where I could not make any outbound requests and turned out that having the inbound NACL rules set to same as security group rules was the culprit. I just set NACL Inbound to allow all and left the desired rules on the security group and was able to make outbound requests from box normally again. – GameSalutes

1 Answer

15 votes

It appears that you are able to connect to your instance (via ssh or RDP), but you cannot access Internet resources from the instance. If so, things to check are:

  • Inbound Security Group: Not relevant (but probably OK since you are able to connect to the instance)
  • Outbound Security Group: Allow 0.0.0.0/0
  • Network Access Control Lists (NACLs): Start by allowing all traffic in & out to get things working, then limit them later per requirements. This is the default setting, too (as you listed, above)
  • Assign a public IP address (either when launching, or as an Elastic IP Address). If you are able to connect to the instance, then this is fine.
  • Launch the instance in a Public Subnet, which means the subnet has a rule in the Route Table that directs traffic to the Internet Gateway (if you are able to connect to the instance, then this is fine)

The fact that you can connect INWARDS suggests that your network settings are all correct. Being unable to initiate an OUTWARDS connection is normally due to an Outbound Security Group setting.
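The checklist in this answer, and the stateless-NACL point from the comments, can be worked through with a small model. The following is an added example, not code from the answer's author or from AWS; it evaluates constructed rule sets shaped like `describe-security-groups` / `describe-network-acls` output (all addresses, rule sets and the `igw-EXAMPLE` route target are made up for the illustration) and reports which of the answer's checks would block an outbound TCP connection. The first scenario mirrors the question (inbound restrictions placed on the NACL), the second mirrors the fix suggested in the comments.

```python
"""Model the answer's outbound-connectivity checks for an EC2 instance.

Added example, not from the original post. All data is constructed in the
shape of AWS describe-* output; none of it is real account data.
  SG rule:   {"proto": "-1"|"tcp"|"udp", "from": int, "to": int, "cidr": str}
  NACL rule: same fields plus "num" (int or "*") and "action" ("allow"|"deny")
"-1" is the API's encoding of the console's "ALL Traffic"; rule number "*"
is how the console shows the catch-all default deny.
"""
import ipaddress


def _matches(rule, proto, port, ip):
    """Does one SG/NACL rule cover this protocol, port and address?"""
    if rule["proto"] not in ("-1", proto):
        return False
    if rule["proto"] != "-1" and not (rule["from"] <= port <= rule["to"]):
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"])


def sg_allows(rules, proto, port, ip):
    """Security groups are allow-lists and stateful: any matching rule permits."""
    return any(_matches(r, proto, port, ip) for r in rules)


def nacl_allows(rules, proto, port, ip):
    """NACLs are stateless and ordered: lowest rule number that matches wins,
    and the '*' rule (sorted last here) is the implicit deny."""
    ordered = sorted(rules, key=lambda r: float("inf") if r["num"] == "*" else r["num"])
    for r in ordered:
        if _matches(r, proto, port, ip):
            return r["action"] == "allow"
    return False


def outbound_failures(instance, dest_ip="203.0.113.10", dest_port=443, src_port=40000):
    """Names of the answer's checks that fail for an instance-initiated TCP
    connection to dest_ip:dest_port from ephemeral src_port; [] means OK."""
    failures = []
    # Public subnet: the route table needs a default route to an Internet Gateway.
    if not any(r["dest"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in instance["route_table"]):
        failures.append("route_to_igw")
    if not instance.get("public_ip"):
        failures.append("public_ip")
    # Security group is stateful: only the outbound rule matters for replies.
    if not sg_allows(instance["sg_outbound"], "tcp", dest_port, dest_ip):
        failures.append("sg_outbound")
    # NACL is stateless: the request AND the reply must each be allowed.
    if not nacl_allows(instance["nacl_outbound"], "tcp", dest_port, dest_ip):
        failures.append("nacl_outbound")
    if not nacl_allows(instance["nacl_inbound"], "tcp", src_port, dest_ip):
        failures.append("nacl_inbound_return_traffic")
    return failures


# Constructed rule sets (defaults as shown in the question).
ALLOW_ALL_SG = [{"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]
ALLOW_ALL_NACL = [
    {"num": 100, "proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0", "action": "allow"},
    {"num": "*", "proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0", "action": "deny"},
]
DEFAULT_ROUTES = [{"dest": "10.0.0.0/16", "target": "local"},
                  {"dest": "0.0.0.0/0", "target": "igw-EXAMPLE"}]  # placeholder gateway id

# Scenario 1, as in the question: inbound restricted on the NACL (SSH from the VPC only).
ASKER = {
    "public_ip": "198.51.100.7",
    "route_table": DEFAULT_ROUTES,
    "sg_outbound": ALLOW_ALL_SG,
    "nacl_outbound": ALLOW_ALL_NACL,
    "nacl_inbound": [
        {"num": 100, "proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/16", "action": "allow"},
        {"num": "*", "proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0", "action": "deny"},
    ],
}
# Scenario 2, the fix from the comments: restriction moves to the (stateful) SG,
# NACL goes back to allow-all in both directions.
FIXED = dict(ASKER, nacl_inbound=ALLOW_ALL_NACL,
             sg_inbound=[{"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/16"}])

if __name__ == "__main__":
    print("question setup :", outbound_failures(ASKER))
    print("after the fix  :", outbound_failures(FIXED))
```

Running it shows the question's setup failing only on `nacl_inbound_return_traffic`: the TLS request leaves on port 443, but the reply arrives on the instance's ephemeral port, which the NACL's inbound rules never allowed. That is the "backwards" configuration the comments describe, and why the same restriction expressed on the security group does not break outbound traffic.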